Specifying a dynamic authorization header for a REST API datastore
When you configure an authentication source with an application, you can use the access token from the connection as a bearer token in an authorization header to receive additional information as needed.
About this task
The access token used in the authorization header can originate from various upstream sources within the PingFederate policy, such as identity provider (IdP) adapters that generate and retrieve access tokens or connections to external IdPs that provide access tokens upon successful authentication.
Before you begin
- Create a service provider (SP) or IdP connection.
- Configure an IdP authentication policy for the connection.
Steps
- Get the access token that you plan to use as a bearer token.
  After you've made the connection, you can find the access token attribute name in <pf_install>/pingfederate/log/server.log in debug mode. The access token name is generated based on your specific PingFederate configuration.
- On the Configure Data Source Filters page, in the Authorization Header field, enter the access token attribute name.
  You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value isn't available. Do not use ${ and } in the default value.
Example
Authorization headers
Sample Authorization Header entries are shown here:
- For a Yahoo OpenID Connect Connection:
  Bearer ${idp.https://api.login.yahoo.com.access_token}
- For a Google OpenID Connect Connection:
  Bearer ${idp.https://accounts.google.com.access_token}
- For an adapter:
  Bearer ${adapter.myadapterid.token}
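The following added example is not PingFederate code; it models the ${attributeName:-defaultValue} syntax described above so you can check how an Authorization Header entry would expand before entering it. The function name, the sample attribute values, and the choice to raise an error when an attribute is missing and no default is given are assumptions of this example.

```python
import re

# Matches ${...}; the body cannot contain '}', which is why the page
# forbids '}' inside a default value.
_PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def expand_header(template, attributes):
    """Expand ${attributeName:-defaultValue} references in a header template.

    Illustrative model of the documented syntax, not PingFederate code.
    Assumption: a missing attribute with no default is an error, so a
    header such as "Bearer " with no token is never produced.
    """
    def substitute(match):
        body = match.group(1)
        # Split on the first ":-" only. Attribute names such as
        # idp.https://accounts.google.com.access_token contain ':' but
        # not ":-", so the name survives intact.
        name, sep, default = body.partition(":-")
        if not name:
            raise ValueError("empty attribute name in %r" % match.group(0))
        if "${" in default:
            raise ValueError("default value must not contain '${'")
        value = attributes.get(name)
        if value:  # attribute is available at runtime
            return value
        if sep:  # a default was specified, use it as the fallback
            return default
        raise LookupError("attribute %r unavailable and no default given" % name)

    return _PLACEHOLDER.sub(substitute, template)


# Constructed sample attributes; the token values are placeholders.
SAMPLE_ATTRIBUTES = {
    "idp.https://accounts.google.com.access_token": "EXAMPLE-GOOGLE-TOKEN",
    "adapter.myadapterid.token": "EXAMPLE-ADAPTER-TOKEN",
}

if __name__ == "__main__":
    for template in (
        "Bearer ${idp.https://accounts.google.com.access_token}",
        "Bearer ${adapter.myadapterid.token}",
        "Bearer ${adapter.other.token:-none}",
    ):
        print(expand_header(template, SAMPLE_ATTRIBUTES))
```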